From owner-freebsd-security Mon May 13 4:16:52 2002
Date: Mon, 13 May 2002 15:16:24 +0400
From: "Nickolay A. Kritsky"
Reply-To: "Nickolay A. Kritsky"
Message-ID: <622555674.20020513151624@internethelp.ru>
To: "Drew Tomlinson"
Cc: security@FreeBSD.ORG
Subject: Re: Allowing FTP Through *My* IPFW Firewall
In-reply-To: <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov>
References: <00f701c1f781$b77478b0$6e2a6ba5@lc.ca.gov>

Hello Drew,

I think you should read the FTP RFC (#0959 AFAIK), the part about "passive mode" FTP. I think that in your case it is the only thing to do. Or try reading the manual for your 3COM modem, to look for something like FreeBSD's `punch_fw' option.

Thursday, May 09, 2002, 9:48:23 PM, you wrote:

DT> I'm trying to figure out what rule I need to add or change to allow ftp
DT> sessions to pass through my ipfw firewall. I have searched the archives
DT> but the only conclusion I have found is that this is a difficult task
DT> because of the nature of ftp. I'm hoping someone can help me with my
DT> specific situation.
DT> Here is how my home network is configured:
DT>
DT> ISP
DT> |
DT> | Public DHCP address
DT> |
DT> 3Com ADSL Modem/Router
DT> (Router performs NAT and passes packets to 10.2 by default)
DT> | (192.168.10.1)
DT> |
DT> |
DT> | (ed1 192.168.10.2)
DT> FBSD Gateway
DT> | (ed0 192.168.1.2)
DT> |
DT> |
DT> Internal LAN
DT>
DT> These are my current firewall rules:
DT>
DT> blacksheep# ipfw list
DT> 00100 allow ip from any to any via lo0
DT> 00200 deny log ip from any to 127.0.0.0/8
DT> 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
DT> 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
DT> 00500 check-state
DT> 00600 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001 to any established
DT> 00700 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993,5405,10001
DT> 00800 allow tcp from 192.168.10.2 to any 21,22,8021 established
DT> 00900 allow tcp from any to 192.168.10.2 21,22,8021
DT> 01000 allow icmp from any to any icmptype 3,4,11,12
DT> 01100 allow icmp from any to any out icmptype 8
DT> 01200 allow icmp from any to any in icmptype 0
DT> 01300 reset log tcp from any to any 113
DT> 01400 allow udp from 206.13.19.133 123 to 192.168.10.2 123
DT> 01500 allow udp from 165.227.1.1 123 to 192.168.10.2 123
DT> 01600 allow udp from 63.192.96.2 123 to 192.168.10.2 123
DT> 01700 allow udp from 63.192.96.3 123 to 192.168.10.2 123
DT> 01800 allow udp from 132.239.254.49 123 to 192.168.10.2 123
DT> 01900 allow udp from 192.168.10.1 to any
DT> 02000 allow udp from any to 192.168.10.1
DT> 02100 allow ip from 192.168.10.2 to any keep-state out xmit ed1
DT> 02200 allow ip from 192.168.1.0/24 to any keep-state via ed0
DT> 65500 deny log ip from any to any
DT>
DT> An FTP client on the outside can establish a session and login through
DT> the firewall but fails when the first data transfer (listing the remote
DT> directory) begins.
DT> Here is a sample entry from my security log:
DT>
DT> May 9 09:56:57 blacksheep /kernel: ipfw: 65500 Deny TCP
DT> 207.173.226.108:2191 192.168.1.4:49172 in via ed1
DT>
DT> Any help would be appreciated.
DT>
DT> Thanks,
DT>
DT> Drew

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
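The following is an added example and not part of the thread or of FreeBSD's ipfw. It models only the rules from Drew's quoted list that decide the fate of an FTP session (00300, 00400, 00500, 00700, 02200 and the default 65500) with ipfw's first-match semantics, then traces the control connection and the data connection for both passive (PASV) and active (PORT) mode. The client address, server address, ephemeral ports and the 227 reply are constructed for the illustration; the announced port 192*256+20 = 49172 is the one that appears in the logged deny, which is why the passive trace lands on rule 65500 just as the log does. The parser for the ipfw log line and the PASV reply are ordinary regex helpers, not project code.

```python
"""Added example, not part of the original thread. A small first-match model of
the FTP-relevant rules from the quoted ipfw list, used to trace why the control
connection to port 21 is admitted while a passive-mode data connection falls
through to the default deny. Hosts, ports and the 227 reply are constructed."""

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
# Ports that rule 00700 in the quoted list opens inbound to the LAN.
SERVICE_PORTS = {21, 22, 25, 80, 143, 389, 443, 993, 5405, 10001}

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)")


def parse_pasv(reply: str):
    """Return (host, port) announced by a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_ipfw_log(line: str) -> dict:
    """Extract rule number, endpoints, direction and interface from an ipfw
    log line in the format quoted in the thread."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("unrecognised ipfw log line")
    d = m.groupdict()
    for k in ("rule", "sport", "dport"):
        d[k] = int(d[k])
    return d


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out", as seen by the gateway
    iface: str       # "ed0" faces the LAN, "ed1" faces the ADSL router


class Firewall:
    """First-match evaluation of a subset of the quoted rules (simplified)."""

    def __init__(self):
        self.dynamic = set()   # flows admitted by keep-state, matched both ways

    def _known_flow(self, p: Packet) -> bool:
        return ((p.src, p.sport, p.dst, p.dport) in self.dynamic
                or (p.dst, p.dport, p.src, p.sport) in self.dynamic)

    def decide(self, p: Packet) -> int:
        """Return the number of the first rule that matches the packet."""
        src, dst = ip_address(p.src), ip_address(p.dst)
        if p.direction == "in" and p.iface == "ed1" and src in LAN:
            return 300        # LAN source arriving from outside: spoofed
        if p.direction == "in" and p.iface == "ed0" and src not in LAN:
            return 400        # non-LAN source on the LAN interface: spoofed
        if self._known_flow(p):
            return 500        # check-state: belongs to a keep-state flow
        if dst in LAN and p.dport in SERVICE_PORTS:
            return 700        # inbound to a published LAN service port
        if src in LAN and p.iface == "ed0":
            self.dynamic.add((p.src, p.sport, p.dst, p.dport))
            return 2200       # LAN-originated traffic, state recorded
        return 65500          # default deny, the rule in the logged entry


CLIENT, SERVER = "207.173.226.108", "192.168.1.4"   # constructed, as in the log


def trace_passive():
    """Control connection, then the client-opened data connection of PASV mode."""
    fw = Firewall()
    control = fw.decide(Packet(CLIENT, 2190, SERVER, 21, "in", "ed1"))
    host, port = parse_pasv("227 Entering Passive Mode (192,168,1,4,192,20)")
    data = fw.decide(Packet(CLIENT, 2191, host, port, "in", "ed1"))
    return control, data


def trace_active():
    """Control connection, then the server-opened data connection of PORT mode,
    seen at the hop where it enters the gateway from the server on ed0."""
    fw = Firewall()
    control = fw.decide(Packet(CLIENT, 2190, SERVER, 21, "in", "ed1"))
    data = fw.decide(Packet(SERVER, 20, CLIENT, 2192, "in", "ed0"))
    return control, data


if __name__ == "__main__":
    print("passive (control, data) matched rules:", trace_passive())
    print("active  (control, data) matched rules:", trace_active())
    print(parse_ipfw_log("ipfw: 65500 Deny TCP 207.173.226.108:2191 "
                         "192.168.1.4:49172 in via ed1"))
```

The passive trace returns (700, 65500): the control connection matches the published port 21, but the data connection to the server-announced port 49172 matches no allow rule and no dynamic state, which is the deny Drew sees. The active trace returns (700, 2200), because there the server opens the data connection from the LAN side and rule 02200 records state for it. Whichever mode is used, the fix is a rule (or a range of rules) that admits the data connection in the direction the chosen mode actually opens it, and the model makes that direction explicit.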